Checking XProtect and Gatekeeper update status on Macs

As part of making sure that XProtect and Gatekeeper are providing up-to-date protection, it can be worthwhile to see when your Mac received the latest updates from Apple for both XProtect and Gatekeeper. As both are background processes, as well as also receiving Config Data updates silently in the background, it’s not always obvious when updates have been applied.

To assist with this, I’ve written a couple of scripts to report the last time that Gatekeeper and XProtect have been updated on a particular Mac. For more details, see below the jump.

XProtect

To check XProtect’s update status, I’ve written the script below. Based on the OS version of the Mac in question, it will take the following actions:

Macs running 10.5.8 and earlier – The script will display a message stating “XProtect not available for” followed up by the OS version number

Macs running 10.6.x through 10.8.x – The script will check XProtect’s /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist file for the file’s last-modified date, then report the date in a human-readable date format.

Macs running 10.9.x and later – The script will check the installer package receipts for XProtect update installer packages for the relevant version of Mac OS X, then report the installation date of the most recent update in a human-readable date format.

To check Gatekeeper’s update status, I’ve written the script below. Based on the OS version of the Mac in question, it will take the following actions:

Macs running 10.7.4 and earlier – The script will display a message stating “Gatekeeper not available for” followed up by the OS version number.

Macs running 10.7.5 – The script will display a message stating “Gatekeeper update status not available for” followed up by the OS version number.

Macs running 10.8.x and later – The script will check the installer package receipts for Gatekeeper update installer packages for the relevant version of Mac OS X, then report the installation date of the most recent update in a human-readable date format.

Won’t work in El Capitan 10.11.4: “The domain/default pair of (/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/XProtect.meta.plist, LastModification) does not exist”. There you need to determine modification date/time directly from the file.

Apple’s System Information tool already shows all of this (hold the option key while clicking on the Apple menu at the top left of the screen and select System Information…).

Under the Software heading click on Installations, all the install dates and versions are there (except XProtectPlistConfigData reads as version 1.0 for some reason instead of reading the Version string from the actual plist).

Apple’s System Information app provides all of this info. You can find it by holding option while clicking on the Apple menu at the top left of the screen and selecting System Information.

On the left pane, scroll down to the Software category then Installations. Gatekeeper is under “Gatekeeper Configuration Data” and XProtect is under “XProtectPlistConfigData” (it seems there’s a bug with the XProtect version number because it always shows version 1.0 instead of the Version value from XProtect.meta.plist).